fartyalvikram
New Member.

SSPR user changing password with wrong branch

I have User Application configured with Access Manager using SAML and configured reverse proxy of SSPR.
I have configured "ou=Users,ou=AM,o=test" branch inside SSPR.

Below is my scenario, which I have tested in my environment:
1. Log in with a test user into User Application (this test user's password is expired and the user exists in the "ou=Users,ou=OAM,ou=TestCon,o=test" branch, which is not configured in SSPR)
2. After clicking the “Sign In” button on the login page, the user is redirected to the SSPR Change Password page (configured in the Access Manager contract)
3. Enter a new password and click the “Change Password” button
4. The password is successfully changed.

How is the user from the "ou=Users,ou=OAM,ou=TestCon,o=test" branch able to change the password through SSPR when SSPR is not configured for that branch?

I am using Access Manager v4.3.1 and SSPR v4.3
Micro Focus Contributor

Re: SSPR user changing password with wrong branch

fartyalvikram;2500507 wrote:
I have User Application configured with Access Manager using SAML and configured reverse proxy of SSPR.
I have configured "ou=Users,ou=AM,o=test" branch inside SSPR.

Below is my scenario, which I have tested in my environment:
1. Log in with a test user into User Application (this test user's password is expired and the user exists in the "ou=Users,ou=OAM,ou=TestCon,o=test" branch, which is not configured in SSPR)
2. After clicking the “Sign In” button on the login page, the user is redirected to the SSPR Change Password page (configured in the Access Manager contract)
3. Enter a new password and click the “Change Password” button
4. The password is successfully changed.

How is the user from the "ou=Users,ou=OAM,ou=TestCon,o=test" branch able to change the password through SSPR when SSPR is not configured for that branch?

I am using Access Manager v4.3.1 and SSPR v4.3


Assuming you are using identity injection for SSPR SSO from Access Manager, make sure the username you're injecting is the LDAP DN, not the CN attribute.
fartyalvikram
New Member.

Re: SSPR user changing password with wrong branch

Yes, I am using Identity Injection policy and configured "LDAP User DN" for Authentication Header User Name.
Micro Focus Contributor

Re: SSPR user changing password with wrong branch

fartyalvikram;2500611 wrote:
Yes, I am using Identity Injection policy and configured "LDAP User DN" for Authentication Header User Name.


I would still assume the wrong user is being authenticated somehow. Once authenticated, SSPR uses the DN for all connections, so it's unlikely to be mixed up during the session.

Check that the account information page in SSPR shows the correct DN (DN isn't shown by default, you'll have to enable it in settings.)

If it's not, then turning the logs to DEBUG or TRACE level and watching during an authentication will probably give some indication as to why.
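One way to check offline whether the DN shown on the SSPR account information page falls under the branch configured in SSPR, as an added example that is not part of the original thread and is not SSPR or Access Manager code. The `cn=testuser` name is constructed, the function names are hypothetical, and case-insensitive comparison is an assumption that fits common naming attributes such as cn, ou and o; multi-valued RDNs (joined with `+`) are not handled.

```python
# Added example: DN subtree check (not SSPR or Access Manager code).

def split_rdns(dn):
    """Split a DN into RDNs on unescaped commas (RFC 4514 backslash escapes)."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    return rdns


def normalize(rdn):
    """Trim and lower-case one RDN so 'OU = Users' equals 'ou=users'.
    Assumption: naming attributes compare case-insensitively."""
    attr, sep, value = rdn.partition("=")
    if not sep:
        raise ValueError(f"not an RDN: {rdn!r}")
    return attr.strip().lower() + "=" + value.strip().lower()


def dn_in_branch(user_dn, branch_dn):
    """True if user_dn is the branch entry itself or lies beneath it."""
    user = [normalize(r) for r in split_rdns(user_dn)]
    branch = [normalize(r) for r in split_rdns(branch_dn)]
    return len(user) >= len(branch) and user[-len(branch):] == branch


SSPR_BRANCH = "ou=Users,ou=AM,o=test"  # branch from the thread
# cn=testuser is a constructed name; the containers are from the thread.
EXPIRED_USER = "cn=testuser,ou=Users,ou=OAM,ou=TestCon,o=test"

if __name__ == "__main__":
    for dn in (EXPIRED_USER, "CN=testuser, OU=Users, OU=AM, O=test"):
        print(dn, "->", "in branch" if dn_in_branch(dn, SSPR_BRANCH) else "OUTSIDE branch")
```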